[Freeipa-devel] [PATCH] 123 Use http instead of https for OCSP and CRL URLs in IPA certificate profile
Dmitri Pal
dpal at redhat.com
Tue Apr 9 15:18:10 UTC 2013
On 04/09/2013 10:19 AM, Simo Sorce wrote:
> On Tue, 2013-04-09 at 16:02 +0200, Martin Kosek wrote:
>> On 04/08/2013 05:09 PM, Martin Kosek wrote:
>>> On 04/08/2013 03:47 PM, Dmitri Pal wrote:
>>>> On 04/08/2013 08:42 AM, Martin Kosek wrote:
>>>>> On 04/08/2013 10:48 AM, Jan Cholasta wrote:
>>>>>> On 8.4.2013 10:47, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this patch fixes <https://fedorahosted.org/freeipa/ticket/3552>.
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>> Re-sending with correct subject.
>>>>>>
>>>>> I tested the change both for upgrades and for fresh installs and it worked fine
>>>>> both cases, even when testing with Firefox enforcing mode.
>>>>>
>>>>> So far, as the biggest issue in current process I see NSS not being able to
>>>>> fallback to other defined OCSP responder (I tested with Firefox 20). This way,
>>>>> Firefox will fail validating the FreeIPA site when the first tested OCSP
>>>>> responder is not available (e.g. the original IPA CA signing the http cert, or
>>>>> an `ipa-ca.$domain` host that is currently not up).
>>>> Have we filed a ticket with FF?
>>> AFAIU, this is rather NSS issue, that Firefox issue. There is a bug open for NSS:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=797815
>>>
>>> Rob seems to have more context about this bug background.
>>>
>>> Martin
>>>
>> We may want to wait with pushing this patch until we get some response in the
>> NSS Bugzilla above. If our request is rejected, we may be forced to use just a
>> single CRL/OCSP (which would be probably the general one) and thus supersede
>> patch 123.
> Well it will have to depend on when you create certs.
> The first IPA server own cert should probably point at the ipa server
> name. Then we should warn in bold letters that the user should create
> such and such a DNS name if they did not let IPA handle DNS.
>
> If we can handle DNS then any other use can refer to the common name
> which can be an A name with multiple entries (each IPA CA server should
> be listed there by default and the record should be changed at ca
> replicas install/decommission time, however we should allow admins to
> add/remove names as well manually in case they want to add proxies otr
> conceal some of the CA servers.
>
> We may also want to change the RA client code to use that record to
> fetch certs.
>
> Simo.
>
I see a lot of RFEs in this comment.
Are we going to file them?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list